Global Courant 2023-05-20 11:00:00
Tejay Fletcher, founder of iSpoof website, jailed for 13 years and four months – PA
Millions of people receive calls from scammers and wonder who is on the other end of the line.
Now we know: rather than someone in a call center far away, a “smart young man” living in a lavish flat in London has been exposed as the mastermind behind so many of these calls.
The trial of Tejay Fletcher exposed how criminals used a simple website to bypass police, operators and banks to facilitate “industrial-scale fraud”, scamming victims out of £100 million of their hard-earned cash.
Fletcher, 35, who ran the website iSpoof.cc, was sentenced earlier this week to 13 years and four months in prison following his 2019 arrest in what is the UK’s largest anti-fraud operation.
The website enabled criminals to disguise their phone numbers in a process known as “spoofing” and trick unsuspecting people into believing they were being called by their bank or other institutions.
Fletcher’s luxury lifestyle
When police arrested Fletcher and raided his home, a rented apartment in East London overlooking the Royal Victoria Dock and the city skyline, they found riches including a £230,000 Lamborghini, two Range Rovers worth £120,000 and an £11,000 Rolex.
A Lamborghini Urus worth £230,000 was among Tejay Fletcher’s riches – Metropolitan Police/PA
There was also an ATM, jewelry and an Audemars Piguet watch that appeared to be a fake.
It was a far cry from the early years of his life, which he spent in successive foster homes, according to his lawyer.
The son of a single mother who “just couldn’t handle it”, his path to crime was lined with stolen cars and the consumption of cannabis, Southwark Crown Court heard.
In 2020, he co-founded iSpoof.cc, which he built into what he called “the most advanced client spoofing platform available”, allowing scammers to change the number or identity displayed when they call so that it appear to be calling from a trusted organization, often a bank or a bank’s fraud department.
After he made nearly £2 million in profits, the police finally caught him and took down the site.
His website was widely used fraudulent activities in the UK — but copycats have since taken their place and others continue to fall victim to these scams, experts warn.
Story continues
How victims were scammed
The number of people using iSpoof rose to 69,000 at its peak, with as many as 20 people per minute being targeted by callers using the site.
In the year to August 2022, more than 10 million fraudulent calls were made using iSpoof, 3.5 million of them in the UK, the prosecution said. More than 200,000 victims in the UK – many of them elderly – lost £43 million, while global losses exceeded £100 million.
For a basic subscription of £150 per month, users were given a set number of minutes to make automated bot calls using the website or app version. They could then pay extra for extra features, leading to packages worth hundreds, even thousands, of pounds per month.
Website iSpoof facilitated 10 million fraudulent calls, police estimate – Metropolitan Police/PA
Users could only pay via Bitcoin – a currency favored by many criminals because it is more difficult to trace payments.
Victims often received an automated phone call asking them to confirm a transaction on an account.
The website allowed them to intercept one-time passwords, which were “ironically” introduced by banks to heighten their security measures, John Ojakovoh noted, continuing.
iSpoof provided scammers with additional features that allowed victims to type a phone PIN after being prompted by an automated call.
Users could also pay for the ability to track calls live, or make calls as if they came from an establishment that had old card details on file and wanted new ones.
Scammers can determine what the automated call would say to recipients and access tools such as speech recognition.
As part of its marketing, iSpoof promised users security and anonymity. They were told that call logs and IP addresses were not saved, so their “tracks were covered”.
Typically, scammers already have some banking information about their victims, often obtained through the use of smishing – bulk fake texts sent to people – or purchased elsewhere online.
The Telegram channel
iSpoof had a channel on Telegram, a social media platform, which it used to communicate with its customers and promote itself, the prosecution said.
The Telegram channel also ran ads from companies selling banking information.
Fletcher would use it to conduct “market research”, conducting polls to find out what features users wanted most.
Other posts “encouraged” scammers to scam people, the prosecution said. In a January 2022 post, Fletcher wished customers a “Happy New Year” and wrote, “All back to work, back to getting that bag. Make this year special, pile those Satoshis (a reference to Bitcoin’s supposed inventor) .”
Fletcher wasn’t particularly tech-savvy, but he used a website called freelancer.com to hire programmers to create the site’s “building blocks.” A programmer even warned him that she believed what he was asking her to do was illegal and could land her in jail, reports prosecutors had seen revealed.
His lawyer said he initially intended to create a simple website, but his co-founder suggested ways the technology could be made more advanced, prompting him to do so. In 2021, he and his co-founder “got into a fight” and Fletcher ousted him and replaced him with three other trustees he appeared to be running. In one post, Fletcher was seen chastising another administrator for “not working hard enough,” according to the prosecution.
When Fletcher took control of iSpoof, the profits received experienced a “rapid increase” from 5 Bitcoin to 117, prosecutors said. Fletcher received 64.38 Bitcoin, worth just under £2 million.
How the police solved the case
The police pretended to be iSpoof customers, paid a trial subscription in Bitcoin and tested the website. They traced the money they paid to iSpoof and eventually discovered that the “lion’s share” of the profits went to Fletcher.
They obtained a copy of the website’s server, which revealed call logs further incriminating Fletcher and the scammers using his website.
Helen Rance, from the Metropolitan Police Cyber Crime Unit, speaks outside Southwark Crown Court, London, after Tejay Fletcher’s jail time – James Manning/PA
As it turns out, Fletcher had also misled the scammers when he claimed he didn’t store any of their information, prosecutors said.
After his arrest in 2019, he initially pleaded not guilty. After seeing the evidence against him, he changed his plea.
According to his lawyers, Fletcher wanted his victims to know that he was genuinely sorry for the “misery” he had caused.
He suffered and continues to suffer from anxiety and depression, for which he sought help prior to his arrest, his lawyer said.
His lawyer, Simon Baker KC, described him as an “exceedingly clever young man” and said, “It is extremely unfortunate that the intellect was not used for profitable activities.”
Fletcher, who recently became a father, regularly donates part of his wealth to CYL, a charity, for projects to help young men with mental health problems, his lawyer said.
Before his arrest, he had considered setting up a company to provide buses for charity, and had secured a place at an acting school before his arrest. His lawyer said this underlined the potential for his rehabilitation.
Brought to court
While Fletcher remains behind bars, others are being investigated as well. About 120 suspected phone scammers have been arrested, 103 of them in London.
Chris Ainsley, head of fraud risk management at Santander UK, said it was “great to see criminals committing these scams being brought to justice”, but warned: “The risk of fraud and scams is always there.
“We continue to see thousands of cases where scammers impersonate official bodies, such as a bank, the police or HMRC, spoofing phone numbers to persuade and pressure victims to act.”
Jim Winters, economic crime director at Nationwide, said iSpoof drove a “significant percentage of the fraudulent activity” banks saw at the time, and said banks now have more anti-spoofing controls.
He said most banks are now signed up to an anti-fraud list maintained by telecoms regulator Ofcom, known as the “don’t origin” list, which records phone numbers used by genuine businesses or government departments to receive calls, but never used. used for outgoing calls. The list is shared with telecom providers and their intermediaries to help them identify and block scam calls.
These numbers, such as those on the back of debit cards or listed as fraud helplines on a bank’s website, are most at risk of being counterfeited. However, some banks have not disclosed all relevant figures on the regulator’s list, according to a survey by Which?, the consumer group, last November.
Signing up for this list is not mandatory and Ofcom does not publish who is and is not on it, citing security reasons.
In addition, adding a number to the list does not guarantee that all calls will be blocked, Ofcom said. Not all phone providers apply this list to their calls, and for those that do, technical limitations mean that some calls can sneak in anyway.
Mr Winters said more companies, not just banks, should be added to this list.
Social media companies like Telegram are also not held responsible for hosting content from scam websites like iSpoof, according to banking industry sources, who want to see them take more responsibility.
Despite their best efforts, Mr Winters said it would be unfair to burden all police departments with full responsibility for police fraud. The police only spend 2 percent of their money on fraud despite representing 40 percent of all crime, Which? found earlier this year.
Mr Winters said it was welcome for police to go after “kingpins” like Fletcher who are behind such a large number of these calls.
But Steve Goddard, a fraud expert at Featurespace, said number spoofing scams are still prevalent, with criminals creating new versions of iSpoof.
He said, “It’s like a hydra, you cut off one head and two grow back.”
